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Box No. I Basis of the report 



1 . With regard to the language, this report is based on 

the international application in the language in which it was filed 



□ a translation of the international application into , which is the language 
of a translation furnished for the purposes of: 

□ international search (under Rules 12.3(a) and 23.1(b)) 

□ publication of the international application (under Rule 12.4(a)) 

□ international preliminary examination (under Rules 55.2(a) and/or 55.3(a)) 

2 With regard to the elements* of the international application, this report is based on (replacement sheets which 
have been furnished to the receiving Office in response to an invitation under Article 14 are referred to in this 
report as "originally filed" and are not annexed to this report): 
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■|--|3 as originally filed 
Claims, Numbers 

■J .47 received on 19.05.2006 with letter of 16.05.2006 
Drawings, Sheets 

1 y5-5/5 as originally filed 

□ a sequence listing and/or any related table(s) - see Supplemental Box Relating to Sequence Listing 

3. □ The amendments have resulted in the cancellation of: 

□ the description, pages 

□ the claims, Nos. 

□ the drawings, sheets/figs 

□ the sequence listing (specify): 

□ any table(s) related to sequence listing (specify): 

4 □ This report has been established as if (some of) the amendments annexed to this report and listed below 
had not been made, since they have been considered to go beyond the disclosure as filed, as indicated in the 
Supplemental Box (Rule 70.2(c)). 

□ the description, pages 

□ the claims, Nos. 

□ the drawings, sheets/figs 

□ the sequence listing (specify): 

□ any table(s) related to sequence listing (specify): 

* If item 4 applies, some or all of these sheets may be marked "superseded, " 
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Box No. IV Lack of unity of invention 



1 . □ In response to the invitation to restrict or pay additional fees, tiie applicant has, within the applicable time 

limit: 

□ restricted the claims, 

□ paid additional fees. 

□ paid additional fees under protest and, where applicable, the protest fee. 

□ paid additional fees under protest but the applicable protest fee was not paid. 

□ neither restricted the claims nor paid additional fees. 

2. S This Authority found that the requirement of unity of invention is not complied with and chose, according to 

Rule 68.1 , not to invite the applicant to restrict or pay additional fees. 

3. This Authority considers that the requirement of unity of invention in accordance with Rules 13.1 , 13.2 and 13.3 
is: 

□ complied with. 

M not complied with for the following reasons: 
see separate sheet 

4. Consequently, this report has been established in respect of the following parts of the international application: 
M all parts. 

□ the parts relating to claims Nos. . 

Box No. V Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial 
applicability; citations and explanations supporting such statement 
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Industrial applicability (lA) 
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2. Citations and explanations (Rule 70.7): 
see separate sheet 



Form PCTyiPEA/409 (April 2005) 



9) 



INTERNATIONAL PRELIMINARY REPORT International application No. 

ON PATENTABILITY PCTyDK2005/000090 



Box No. Vil Certain defects in the international application 

The following defects in the form or contents of the international application have been noted: 
see separate sheet 
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Re item IV 

This Authority considers that there are three inventions covered by the claims indicated as 
follows: 

1: Claims 1-20 are directed to a method for generating an identification value for 
identifying an electronic massage in a MAC in which data representing the length L of the 
message are concatenated to the output or to an intermediate result. 
II: Claims 21 -40 are directed to a method for generating an identification value for 
identifying an electronic massage in a MAC in which an auxiliary hash function having a 
different compression rate is applied to an unprocessed data block if n does not divide the 
number ru, of input blocks. 

Ill: Claims 41-47 directed to method for generating an identification value for identifying 
an electronic message using a delta-universal hash function and a sum of the resulting 
number and a further block of data. 

The reasons for which the inventions are not so linked as to form a single general inventive 
concept, as required by Rule 13.1 PCT, are as follows: 

Although the problems dealt with by the independent claims 1 , 21 and 41 are linked or 
identical, the solutions defining the special technical features are not the same nor 
corresponding, contrary to Rule 13.2 PCT (see point V below). 

Re Item V 

Reasoned statement with regard to novelty, inventive step or industrial applicability; 
citations and explanations supporting such statement 

Reference is made to the following document: 

D1 : MATSUO T ET AL: "ON PARALLEL HASH FUNCTIONS BASED ON BLOCK- 
CIPHERS" lEICE TRANSACTIONS ON FUNDAMENTALS OF ELECTRONICS, 
COMMUNICATIONS AND COMPUTER SCIENCES, INSTITUTE OF ELECTRONICS 
INFORMATION AND COMM. ENG. TOKYO, JP, vol. E87-A, no. 1, January 2004 
(2004-01), pages 67-74, XP001 185960 ISSN: 0916-8508 
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The application concerns three methods (claims 1, 21 and 41) for generating an 
identification value for identifying an electronic message, three computer systems (claims 
19, 39, 46) programmed to carry out said methods as well as computer program products 
(claims 20, 40, 47) for performing said methods. 

The document D1 is regarded as being the closest prior art to the subject-matter of claim 1 
and shows (the references in parentheses applying to this document, see fig.3): 
a method for generating an Identification value based on parallel hash functions applied in 
a tree structure (three rounds) where a residual data block (mg) is passed without 
compression from the current level to another subsequent level (3rd level) in case n does 
not divide the number m; of input blocks for said current level. 

The subject-matter of claim 1 differs from this known method in that data which represent 
the length L of the message are concatenated to the output or one of the intermediate 
results. 

The subject-matter of claim 1 is therefore new (Article 33(2) PCT). 

The problem to be solved by the present invention may be regarded as how to avoid an 
intentional modification of the input message length which could not be detected by the 
known method. 

The solution to this problem proposed in claim 1 of the present application is considered 
as involving an inventive step (Article 33(3) PCT) for the following reasons: 
Appending data representing the length L of the input message during consecutive 
hashing is not know nor suggested by the prior art. 

Concerning method claim 21 , the closest prior art is also illustrated by D1 . 
The problem to be solved by method claim 21 is to find an alternative solution for avoiding 
the padding of zero blocks in the Damgard construction and thus to reduce the total 
number of hash functions. 

According to claim 21 this problem is solved by using an auxiliary hash function having a 
compression rate which is different from the compression rate of a first hash function. 
Using different compression rates during the generation of a MAC is not known nor 
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suggested in the prior art. 

Claims 2-18 are dependent on claim 1 and claims 22-38 are dependent on claim 21; as 
such they also meet the requirements of the PCT with respect to novelty and inventive 
step. 

Concerning method claim 41 the closest prior art is again illustrated by D1 . 

The problem to be solved is again to find an alternative for reducing the number of hash 

functions used during compression as compared to the Damgard constmction. 

According to claim 41 this problem is solved by computing the sum of the result of a delta- 
hash function and a further block which is not hashed. This processing step is not known 
nor suggested by the prior art. 

Claim 42-45 are dependent on claim 41 and as such also meet the requirements of the 
PCT with respect to novelty and inventive step. 

Claims 1 9 and 20, 39 and 40, 46 and 47 define computer systems and computer program 
products carrying out the methods of claims 1 , 21 and 41 respectively. As such they also 
meet the requirements of the PCT with respect to novelty and inventive step. 

Re Item VII 

Independent claim 1 is not in the correct two-part form in accordance with Rule 6.3(b) 
PCT, which in the present case is appropriate, with those features known in combination 
from'the prior art (document D1) being placed in the preamble (Rule 6.3(b)(1) PCT) and 
with the remaining features being included in the characterising part (Rule 6.3(b)(ii) PCT). 

In the present case, the following features are known in combination from the document 
D1 and belong in the preamble of such a claim: 

a residual data block is passed without compression from the current level to another 
subsequent level in case n does not divide the number of input blocks m, for said current 

level. 
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CLAIMS 

10 

1. A method for generating an identification value for identifying an electronic message in a 
Message Authentication Code (MAC) function by application of at least one first hash function 
with fixed compression that compresses n blocks of data into a number of blocks which Is 
smaller than n or into one single block, the hash function being repetitively applied in a tree- 

15 structure compression of the message, so that the message is being compressed in a 
plurality of tree-structure levels, each level receiving mi input blocks for compression, 
subscript i denoting a current level In the tree structure, whereby Intermediate resulting 
numbers are produced, wherein said at least one first hash function additionally receives at 
least one cryptographic key as an input, and wherein different cryptographic keys are used in 

20 different levels of the tree structure, the method comprising processing an output of the tree- 
structure compression further to obtain said identification value, 
charac t-g'rized in that 

- a residual data block Is passed without compression from the current level to another, 
subsequent level in case n does not divide the number of input blocks mi for said current 

25 level i, and in that 

- data which represent a length L of the message are concatenated to the output to obtain a 
concatenated output, and/or to at least one of the intermediate resulting numbers. 

2. A method according to claim 1, further comprising the step of inserting a set of predefined 
30 data at a predetermined position In the message, e.g. by appending the set of predefined 

data to the message, so that the length of the message with the appended set of data 
becomes a multiple of the length of the blocks. 

3. A method according to claim 1 or 2, wherein the tree-structure compression is performed 
35 until the number of blocks Is less than n, 

4. A method according to claim 3, wherein said length L represents the length of the message 
without said appended set of data. 

5. A method according to claim 4, wherein a hash function is applied to the concatenated 
40 output to obtain a compressed concatenated output, said hash function being one of: 

- the at least one first hash function; and 

- a second hash function. 
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6. A method according to any of the preceding claims, further comprising applying a further 
hash function to at least one of: 

- said output, 

5 - a further set of data derived from said output, 

- said concatenated output, and 

- said compressed concatenated output. 

7. A method according to any of the preceding claims, further comprising applying a 

10 cryptographic function to said output or to a further set of data derived from said output. 

8. A method according to claim 6 or 7, wherein at least one of: 

- said second hash function; and 

- said further hash function 

15 makes use of at least one cryptographic key. 

9. A method according to claim 8, wherein different cryptographic keys are used in one level 
of the tree structure. 

20 

10. A method according to claim 8, wherein the same cryptographic key is used in a single 
level of the tree structure. 

11. A method according to any of the preceding claims, wherein at least one of: 
25 - said first hash function; 

- said second hash function; and 

- said further hash function 
is a universal hash function. 

30 12. A method according to any of the preceding claims, wherein at least one of: 

- said at least one first hash function; 

- said second hash function; and 

- said further hash function 

comprises at least two different hash functions. 

35 

13. A method according to claim 12, wherein the at least two different hash functions 
compress different numbers n of blocks. 

14. A method according to claim 12 or 13, wherein at least one of the at least two different 
40 hash functions compresses a variable number n of blocks. 

15. A method according to any of claims 12-14, wherein the different hash functions use 
different cryptographic l<eys. 
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16. A method according to any of claims 8-15, comprising performing a plurality of tree- 
structure compressions of the message to obtain a plurality of results, and concatenating the 
plurality of results into a concatenated result. 

5 17. A method according to claim 16, wherein different cryptographic keys are applied in the 
plurality of tree-structure compressions. 

18. A method according to claim 16, wherein partly Identical cryptographic keys are applied 
in the plurality of tree-structure compressions. 

10 

19. A computer system comprising a memory and a processor, the processor being 
programmed to carry out the method of any of claims 1-18. 

20. A computer program product comprising means for performing the method of any of 
15 claims 1-18. 

21. A method for generating an identification value for identifying an electronic message in a 
Message Authentication Code (I^AC) function by application of at least one first hash function 
with fixed compression that compresses n blocks of data into a number of blocks which Is 

20 smaller than n or into one single block, the hash function being repetitively applied in a tree- 
structure compression of the message, so that the message is being compressed in a 
plurality of tree-structure levels, each level receiving m, input blocks for compression, 
subscript i denoting a current level in the tree structure, wherein said at least one first hash 
function additionally receives at least one cryptographic key as an input, and wherein 

25 different cryptographic keys are used in different levels of the tree structure, the method 
comprising processing an output of the tree-structure compression further to obtain said 

identification value, 
rharacterlzed \_n t; h a .t; 

the method comprises determining whether or not n divides the number of input blocks m, for 

30 said current level 1; and 

if n does divide m,: applying said at least one first hash function m,/n times; 

if n does not divide mf. 

- applying said at least one first hash function at most mj/n times, whereby at least one 
residual data block is left unprocessed by the first hash function; and 
35 - processing said at least one unprocessed data block by means of an auxiliary hash 

function which, in one single hash operation, compresses the at least one 
unprocessed data block into one single block, the auxiliary hash function having a 
compression rate, which is different from the compression rate of said first hash 
function. 

40 

22. A method according to claim 21, further comprising the step of Inserting a set of 
predefined data at a predetermined position in the message, e.g. by appending the set of 
predefined data to the message, so that the length of the message with the appended set of 
data becomes a multiple of the length of the blocks. 

45 



AMENDED SHEET 



•05-2006 

15739PCT00 



DK0500090 



23. A method according to claim 21 or 22, wherein the tree-structure compression is 
performed until the number of blocks is less than n. 

24. A method according to claim 23, further comprising the step of concatenating the output 
5 with data which represent a length L of the message to obtain a concatenated output, the 

length L representing the length of the message without said appended set of data. 

25. A method according to claim 24, wherein a hash function is applied to the concatenated 
output to obtain a compressed concatenated output, said hash function being one of: 

10 - the at least one first hash function; and 

- a second hash function. 

26. A method according to any of claims 21-25, furtfier comprising applying a furtiier hash 
function to at least one of: 

15 - said output, 

- a further set of data derived from said output, 

- said concatenated output, and 

- said compressed concatenated output. 

20 27. A method according to any of claims 21-26, further comprising applying a cryptographic 
function to said output or to a further set of data derived from said output. 

28. A method according to any of claims 21-27, wherein at least one of: 

- said at least one first hash function; 
25 - said second hash function; and 

- said further hash function 

makes use of at least one cryptographic key. 

29. A method according to claim 28, wherein different cryptographic keys are used in one 
30 level of the tree structure. 

30. A method according to claim 28, wherein the same cryptographic key is used in a single 
level of the tree structure. 

35 31. A method according to any of claims 21-30, wherein at least one of: 

- said first hash function; 

- said second hash function; and 

- said further hash function 
is a universal hash function. 

40 

32. A method according to any of claims 21-31, wherein at least one of: 

- said at least one first hash function; 

- said second hash function; and 

- said further hash function 

45 comprises at least two different hash functions. 
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33. A method according to claim 32, wherein the at least two different hash functions 
compress different numbers n of blocks. 

5 34. A method according to claim 32 or 33/ wherein at least one of the at least two different 
hash functions compresses a variable number n of blocks. 

35. A method according to any of claims 32-34, wherein the different hash functions use 
different cryptographic keys. 

10 

36. A method according to any of claims 28-35, comprising performing a plurality of tree- 
structure compressions of the message to obtain a plurality of results, and concatenating the 
plurality of results into a concatenated result, 

15 37. A method according to claim 36, wherein different cryptographic keys are applied in the 
plurality of tree-structure compressions. 

38. A method according to claim 36, wherein partly Identical cryptographic keys are applied 
in the plurality of tree-structure compressions. 

20 

39. A computer system comprising a memory and a processor, the processor being 
programmed to carry out the method of any of claims 21-38. 

40. A computer program product comprising means for performing the method of any of 
claims 21-38. 

41. A method for generating an identification value for identifying an electronic message, the 
method comprising the steps of: 

- processing at least one block of a set of data derived from the message into a resulting 
number by means of a delta-universal hash function ; and 

- computing a sum of the resulting number and a further block of data derived from the 
message to obtain a modified resulting number; 

- using the modified resulting number further to obtain said identification value. 

35 42. A method according to claim 41, wherein the hash function operates on a single block of 
data only. 

43. A method according to claim 41 or 42, wherein the delta-universal hash function is 
repetitively applied in a tree-structure compression of the message, so that the message is 
40 being compressed in a plurality of tree-structure levels, each tree-structure receiving m, input 
blocks for compression, the delta-universal hash function and the subsequent step of adding 
performing a compression of n data blocks into one single data block. 
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44. A method according to claim 43, wherein a residual data block is passed without 
processing thereof from a current level to another subsequent level in case n does not divide 
the number of input blocl<s mi for said current level i. 

5 45. A method according to any of claims 41-44, wherein the modified resulting number is 
determined by the function: 

(mi+k mod 2^^)-(LSR(mi,32)+LSR(k,32) mod 2^^)^m2vnod 

where mi and mz denote two of said blocks of data, LSR(x,y) denotes a logical-shift-right by 
y bits of input x, and k denotes a cryptographic key, whereby mi, mz and k are represented 
10 as 64 bit unsigned integers, 

46. A computer system comprising a memory and a processor, the processor being 
programmed to carry out the method of any of claims 41-45. 

15 47. A computer program product comprising means for performing the method of any of 
claims 41-45. 
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